When Donald Trump took the oath of office to become the 45th President of the United States, he also gained access to the official @POTUS Twitter account. Until Thursday afternoon, that account was registered to a non-government email address.

The registration to a private email account was first pointed out by a hacker who goes by WauchulaGhost and who shared the information on Twitter with a warning that Trump and his staff should change the emails and fix their security settings.

The @FLOTUS account belonging to Melania Trump, the @PressSec account handed to press secretary Sean Spicer, and the @VP account held by Vice President Mike Pence were all registered to private email accounts.

WauchulaGhost, noteworthy for his previous efforts to hack pro-ISIS Twitter accounts and replace their content with pornographic images and messages of gay pride, didn’t make his way into any of the official accounts of the new administration but did out the email addresses used to set up the accounts.

According to the hacker, the email addresses included trumpmelania2017@gmail.com for @FLOTUS, PressSec2017@gmail.com for @PressSec, and vicepresident2017@gmail.com for @VP.

The @POTUS account was reportedly linked to a Gmail address belonging to Dan Scavino, the White House director of social media and a longtime Trump confidant who started as a golf caddie for the now-President.

All of this information was made available because the account holders and those setting up the accounts failed to make use of two-factor authentication, a basic security tool that requires users to provide a phone number or email address associated with the account to start the process of a password reset.

Without two-factor authentication in place, Twitter serves up a redacted version of the email address linked to the account. That information is often all a person needs to decipher the full address. From there, a hacker could access the connected email account using phishing schemes, malware, brute force or just a lucky guess.

Were a hacker able to make their way into one of the linked email addresses, they could request a password reset on the Twitter account and intercept the email, allowing them to take control of a Twitter account belonging to one of the most important members of the U.S. government.

Given that single tweets from Donald Trump’s personal account have shifted the stock market and essentially issued new policy for the country, there could be real damage done were his account to be compromised.

The linked email addresses have since been changed, and the accounts are now linked to government email addresses hosted on WhiteHouse.gov.

The security woes weren’t made any better on Thursday as press secretary Sean Spicer appeared to accidentally tweet out what may have been his password to the @PressSec account.

It’s unclear whether the random string of letters and numbers Spicer tweeted was just the result of him keeping his phone in his pocket or truly was a piece of his login information, likely part of a password manager or a two-step authentication process. It’s the second time in as many days Spicer has tweeted out an eight-character string before deleting it.